Organizations understand that verifying and managing identity across applications goes more smoothly when they work from a single source of truth about user identity. For many businesses, this repository of information often exists within an existing Microsoft Active Directory (AD), which has become the standard for managing user identities.
The bad news is that many of the most popular Software as a Service (SaaS) applications can integrate with Security Assertion Markup Language (SAML) but not with AD, which leaves organizations with a messy hybrid identity and access management (IAM) solution. Managing multiple pools of identity increases costs, introduces delays in the development and production processes, and, perhaps most importantly, can frustrate your users and have a big impact on their productivity.
Without SAML, all users would need to maintain different accounts and credentials for each SaaS application used. Forcing users to maintain many credential sets results in password fatigue, where users cope using various insecure techniques, such as a list of credentials on a sticky note or pad of paper. Another coping mechanism is password reuse across multiple accounts, which enables users to remember passwords, but itself exposes the organization to additional risk. Perhaps the biggest cost of password fatigue springs from users’ reluctance to use SaaS applications, dreading the headache associated with managing yet-another-set-of-credentials. Without SAML, the firm ultimately bears the risks and costs of password fatigue through reduced security and lowered productivity.
Extending AD to all SaaS applications would reduce password fatigue, since AD can provide the identity information for all your users, but AD cannot directly extend to many critical SaaS applications. To implement the seamless verification of user identity that the business requires, organizations need a single source of identity for all applications, whether they are hosted in an on-premises data center or consumed as SaaS, with that identity made available to the SaaS applications via SAML.
Now, here’s the good news: there is a simple and powerful solution to this problem of managing identity across a suite of dispersed applications. F5 BIG-IP Access Policy Manager provides SAML identity services that enable SaaS applications to take advantage of a single identity store such as AD. Plus, BIG-IP Local Traffic Manager can integrate with your existing AD deployment, allowing you to unify the identity information for all your users and act as that single source of truth for your organization. Users authenticate against BIG-IP, which queries Active Directory. After authentication, traffic flows directly between the users and the SaaS applications, as shown in Figure 1. The combination of AD and BIG-IP Access Policy Manager delivers single sign-on capability to your users, so that they need only remember one set of credentials for all of your internal and SaaS applications. That one set of credentials can use stronger passwords and even multi-factor authentication to achieve a higher level of security.
Figure 1 SAML using Active Directory
By enabling all your applications, no matter where they are located, to draw on a single store of user identity, users will be less prone to reuse passwords or store them insecurely, and more willing to use the applications. Administrators will spend less time on password management across multiple systems while having a single source of truth about which users have access to which applications. You can increase user productivity, lessen the burden of IAM management, and take a big step toward boosting the agility of your business.